IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

security: fix dir traversal issue

Browse Source
This commit is contained in:
Kyle Brandt 2021-12-03 12:05:38 -05:00
parent 914fcedb72
commit 00e38ba555
2 changed files with 42 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/api/plugins.go
View File

@ -281,14 +281,26 @@ func (hs *HTTPServer) getPluginAssets(c *models.ReqContext) {
return return
} }
requestedFile := filepath.Clean(web.Params(c.Req)["*"]) requestedFile := filepath.Clean(filepath.Join("/", web.Params(c.Req)["*"]))
pluginFilePath := filepath.Join(plugin.PluginDir, requestedFile) rel, err := filepath.Rel("/", requestedFile)
if err != nil {
// this should not never fail
c.JsonApiErr(500, "Relative path found", err)
return
}
if !plugin.IncludedInSignature(requestedFile) { if !plugin.IncludedInSignature(rel) {
hs.log.Warn("Access to requested plugin file will be forbidden in upcoming Grafana versions as the file "+ hs.log.Warn("Access to requested plugin file will be forbidden in upcoming Grafana versions as the file "+
"is not included in the plugin signature", "file", requestedFile) "is not included in the plugin signature", "file", requestedFile)
} }
absPluginDir, err := filepath.Abs(plugin.PluginDir)
if err != nil {
c.JsonApiErr(500, "Failed to get plugin absolute path", nil)
return
}
pluginFilePath := filepath.Join(absPluginDir, rel)
// It's safe to ignore gosec warning G304 since we already clean the requested file path and subsequently // It's safe to ignore gosec warning G304 since we already clean the requested file path and subsequently
// use this with a prefix of the plugin's directory, which is set during plugin loading // use this with a prefix of the plugin's directory, which is set during plugin loading
// nolint:gosec // nolint:gosec

27
pkg/api/plugins_test.go
View File

@ -23,9 +23,13 @@ func Test_GetPluginAssets(t *testing.T) {
pluginDir := "." pluginDir := "."
tmpFile, err := ioutil.TempFile(pluginDir, "") tmpFile, err := ioutil.TempFile(pluginDir, "")
require.NoError(t, err) require.NoError(t, err)
tmpFileInParentDir, err := ioutil.TempFile("..", "")
require.NoError(t, err)
t.Cleanup(func() { t.Cleanup(func() {
err := os.RemoveAll(tmpFile.Name()) err := os.RemoveAll(tmpFile.Name())
assert.NoError(t, err) assert.NoError(t, err)
err = os.RemoveAll(tmpFileInParentDir.Name())
assert.NoError(t, err)
}) })
expectedBody := "Plugin test" expectedBody := "Plugin test"
_, err = tmpFile.WriteString(expectedBody) _, err = tmpFile.WriteString(expectedBody)
@ -61,6 +65,29 @@ func Test_GetPluginAssets(t *testing.T) {
}) })
}) })
t.Run("Given a request for a relative path", func(t *testing.T) {
p := plugins.PluginDTO{
JSONData: plugins.JSONData{
ID: pluginID,
},
PluginDir: pluginDir,
}
service := &fakePluginStore{
plugins: map[string]plugins.PluginDTO{
pluginID: p,
},
}
l := &logger{}
url := fmt.Sprintf("/public/plugins/%s/%s", pluginID, tmpFileInParentDir.Name())
pluginAssetScenario(t, "When calling GET on", url, "/public/plugins/:pluginId/*", service, l,
func(sc *scenarioContext) {
callGetPluginAsset(sc)
require.Equal(t, 404, sc.resp.Code)
})
})
t.Run("Given a request for an existing plugin file that is not listed as a signature covered file", func(t *testing.T) { t.Run("Given a request for an existing plugin file that is not listed as a signature covered file", func(t *testing.T) {
p := plugins.PluginDTO{ p := plugins.PluginDTO{
JSONData: plugins.JSONData{ JSONData: plugins.JSONData{